"managed-keys" zone is created even with "dnssec-validation no;"
With the following configuration file:
options {
dnssec-validation no;
};named logs the following lines upon startup:
13-May-2022 07:06:05.967 set up managed keys zone for view _default, file 'managed-keys.bind'
13-May-2022 07:06:05.971 managed-keys-zone: loaded serial 0and indeed creates a zone attached to the _default view which only
contains a SOA record.
The same thing happens for dnssec-validation yes;.
This is harmless, but confusing at best, for two reasons:
-
The
managed-keys.bindfile is never written to, despite what the log message suggests. -
No managed keys are ever refreshed or used.
Introduced by commit 778a01b1, i.e. in BIND 9.7.1.
See also #1961 for more logging confusion related to RFC 5011.